22年国赛单机取证

Evidence4

先搜索Evidence

找到一个

Evidence4nsOh2.pngf5b9ce3e485314c23c40a89d994b2dc8

Evidence2

之后再一个个找

这个是压缩包格式的

导出来

伪加密

修复一下

Evidence2ZQOo2.jpg9e69763ec7dac69e2c5b07a5955a5868

Evidence3

png的文件

改个宽高

Evidence3p3qQ4.jpga9a18aecec905a7742042461595b4b5c

Evidence6

mp3的格式

png的格式

再对照表就好

Evidence6mkjRv.7ze610fcd2a0cd53d158e8ee4bb088100a

Evidence5

这个也是错误格式

strings得到

IV3GSZDFNZRWKNI=

Evidence5RVlYt.zipd6638c17b2e700397ab2e02cbd079dae

Evidence9

Evidence9jMH7w.xlsx523c407180d54dde6eca700405599c8a

Evidence7

png格式的

Evidence7OR8iq.xml28ba933c31fd60f8c4461aed14a8c447

Evidence10

Evidence1001d98.gifd708444963b79da344fd71e5c72f7f02

Evidence1

Evidence1eg2kX.jpg85cdf73518b32a37f74c4bfa42d856a6

Evidence8

Evidence88cFQj.py7fccfb1778b15fbc09deb6690afc776a

2023福建省单机取证

evidence 10

直接搜索找到了evidence 10

Evidence10topy.docx04b87697a5fd9e168ced165d21d177e3

evidence 7

png后缀

改高度得到

evidence 7wb.zipcdc07e85116b037c40351c49da6eb35a

evidence 1

evidence 1sys.dlld3c5335367e17b966a13e2663235a1ff

evidence 5

zip文件

补全文件头

解压得到jpg文件

evidence 5tmpda5d01d2f7e8c37ab1c1857be587ad74

evidence 2

evidence 2tag43168b2bdf149526b8bb8b89f1b06cc1

evidence 3

有隐藏图片，不过没用

strings hack.png | tail -60

echo IV3GSZDFNZRWKMYK | base32 --decode

evidence 3hack.png1308b0d65360eba6a47224733f13ca84

evidence 4

lsb隐写

evidence 4sea.png1c990420fc307c7bd2b65396c5e5e13f

evidence 8

evidence 8display8b2da168f3221d343c4e3f1aceed3e88

evidence 9

.7z文件

解压是bmp格式图片

evidence 9z.x14046db8621b2aca9ffced76d23cc6e9

evidence 6

evidence 6cve.xlsxc2b9d953d7e04c8e0d08fee3bd4513cd